SEC hunts cyber criminals accused of using stolen information for insider trading

Last December, a special report from FireEye (Hacking the Street? FIN4 Likely Playing the Market) investigated a group of cyber criminals that had attacked more than 100 corporate targets via spear phishing emails. The criminals gained access to confidential information – including details of merger and acquisition discussions – that they exploited to play the stock markets. FireEye called this group FIN4.

According to FireEye, “over two-thirds of [targeted companies] are public healthcare and pharmaceutical companies. The remaining targets include advisory firms that represent public companies and a handful of public companies in other sectors closely followed by market watchers. All but three of the public companies are listed on the NYSE or NASDAQ, with the remaining three listed on non-US exchanges.”

Reuters now reports that the Securities and Exchange Commission (SEC) is investigating FIN4.

John Reed Stark, a former head of Internet enforcement at the SEC, said it was an “absolute first” for the commission to approach companies about data breaches as part of an insider trading investigation. He told Reuters:

“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading.”

SEC investigations typically pursue company insiders and their associates – not strangers who have gained access to corporate networks and confidential information by harvesting login credentials via phishing emails.


Phishing and, to a lesser extent, spear-phishing scams affect all organizations. From a criminal perspective it’s far easier, after all, to gather legitimate user credentials that you can use to access a company’s network than it is to hack it. Every day, 156 million phishing emails are sent, 15.6 million make it through spam filters, 8 million are opened, 800,000 recipients click on the links, and 80,000 of them unwittingly hand over their information to criminals.

If you’re concerned about your staff’s susceptibility to phishing attacks, you may be interested in:

IT Governance’s Phishing Staff Awareness Course will enable you and your team to understand how cyber criminals operate, how they plan and execute their phishing campaigns, and how to spot and avoid phishing tactics.

Our Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, giving you a broad understanding of how you are at risk and what you need to do to address these risks.
